From 25th May 2018, the Data Protection Act (DPA) will be replaced by the General Data Protection Regulation (GDPR) – meaning that the way you manage all data and information within your school will change.
Stuffing paper into filing cabinets, keeping records and databases of student and staff information, monitoring what’s happening day-to-day on the premises through CCTV – today’s educational landscape is packed with data.
Under current legislation you already have a duty of care to ensure that this data is kept safe and secure. And with the GDPR coming into effect you’ll have an increased responsibility to ensure this information – regardless of what form it’s kept in – is managed in the right way in compliance with this new regulation.
Non-compliance can currently see fines of up to £500,000 imposed by the Information Commissioner's Office (ICO), as well as Ofsted ratings being seriously affected if there aren't correct policies and procedures in place when it comes to data and IT security.
As such, the ICO are urging educational providers to start thinking about the impact the GDPR will have on them and to start putting policies and practices into place ahead of the change.
But what actually is it, exactly how will GDPR affect schools and what should you be doing about it?
Let’s take a look:
GDPR – what is it?
Put simply, the GDPR is a new data protection regulation that’s designed to strengthen and unify the safety and security of all data held within an organisation.
It will entirely replace the current Data Protection Act, making radical changes to many existing data protection rules and regulations that many organisations such as schools, academies and other educational establishments currently adhere to under the DPA.
How will GDPR affect schools?
Whilst you may see some similarities between the GDPR and the DPA, there will be some significant differences that will have a real impact on the way data is handled and ultimately affect the way you manage information in your school.
Here’s just a few of the key things to watch out for:
- Penalties – under the DPA, non-compliance could see fines of up to £500,000 imposed by the ICO. However, failure to comply under the GDPR could see fines of up to €20 million (or 4% of global turnover – whichever is greater) for both the Data Controller (i.e. you) and anyone else involved in the chain such as the Data Processors (i.e. your recycling partner). That’s a hefty price to pay for not following the rules!
- Contracts – whilst it’s good practice to show due diligence when choosing an IT recycling partner, there’s currently no formal obligation to have a contract in place with your chosen Data Processor. But this is all set to change. Under the GDPR it will be illegal to not have a formal contract or Service Level Agreement (SLA) in place with your chosen partner.
- Data Processors – under the GDPR it will also be a criminal offence to choose an IT recycling partner/Data Processor who doesn't hold the minimum competencies and accreditations for IT asset disposal (i.e. ADISA, ISO 27001, Blancco etc.). You must be able to demonstrate that you are working with an accredited company when it comes to disposing of your data-bearing end-of-life IT assets.
So, what should you be doing to prevent non-compliance and hefty fines?
If you’re already complying with the DPA then chances are you already have some strict policies in place. But this doesn’t mean that just because you comply with DPA regulation, you’re automatically going to be compliant under the new GDPR law.
Whilst a number of the GDPR’s main principles are similar to those in the Data Protection Act, as we’ve seen, there will inevitably be some new elements and significant enhancements – meaning you may have to do some things differently.
As such, the ICO have put together a guide on Preparing for the General Data Protection Regulation (GDPR). They suggest a number of things you should be starting to do to get yourself ready for the change:
- Awareness – ensure that decision makers and key people in your school are aware that the DPA is changing to the GDPR – they need to appreciate the impact it will have and how the new legislation will affect schools
- Information you hold – organise an information audit and document what personal staff and student data you hold, where it came from and who you share it with
- Communicating privacy information – review your current privacy guidance and put a plan in place for making any necessary changes in time for when GDPR comes into force
- Individuals' rights – check your current procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically
- Subject access requests – update your procedures and plan how you’ll handle requests within the new timescales and provide any additional information
- Legal basis for processing personal data – look at the various types of data processing you carry out, identify your legal basis for carrying it out and document it
- Consent – review how you’re seeking, obtaining and recording consent and whether you need to make any changes
- Students – start thinking about what systems you're going to put in place to verify individuals' ages and to gather parental or guardian consent for the data processing activity
- Data breaches – make sure you’ve got the right procedures in place to detect, report and investigate a personal data breach
- Data protection by design and data protection impact assessments – begin to work out when to start implementing Privacy Impact Assessments into your school
- Data Protection Officers – designate a Data Protection Officer or someone to take responsibility for data protection compliance
You can read the full guide and the ICO’s recommendations here.
As well as this, there are a few guidelines for best practice that we think could help you out too:
Have an e-safety policy in place
Putting a clearly defined e-safety policy in place is vital in ensuring that all key stakeholders know what needs to be done to remain compliant when the GDPR comes into effect. It also helps to protect not only your students but also all of the data that’s held on the systems within your school. An e-safety policy can help keep everything safe against any occurrence – be it malicious attacks on your network, viruses, phishing, or even the way your end of life hardware is being destroyed.
We’ve seen that both the ICO and Ofsted come down hard on any institution that doesn’t have the correct policies and procedures in place. Best practice is to find a suitable partner who can help you manage all of that in a safe, secure and compliant way – or better yet can do it all for you!
Choose the right partner
As we saw earlier, bringing on board a Data Processor that doesn't meet the obligations set out by the GDPR can seriously impact schools. Therefore, it's equally as important as all the other points we've mentioned (and I personally believe this is a big one to bear in mind) to make sure you're choosing the right partner to work with when it comes to IT asset disposal. Working with an accredited Data Processor will ensure that any end-of-life data-bearing equipment is disposed of and destroyed in a safe, secure and compliant way. These partners will also ensure there's a legally binding contract or SLA in place to determine the formal processes involved.
There are many IT asset disposal partners out there who can help, who hold accreditations such as ADISA with Distinction, Blancco, ISO 27001 etc., so that you can be safe in the knowledge that your assets and data are in good hands.
Exactly how the GDPR will affect schools is, at the minute, anybody's guess. All we know for now is that there are steps to take and best practices to put in place to ensure that, when the GDPR does come into force, you're ready for it.